- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
Switch Shield Support (DDoS Protection using Switch Capabilities)
05/06/2020 
0 People found this article helpful
35,142 Views
Description
This feature provides protection from a Denial of Service attacks that make the firewall too busy to provide service. This feature was introduced in the 6.5.3.1 feature release and available on all versions post that.
NOTE: This feature is supported on NSA 3600 through NSA 6600, NSa series, and SuperMassive series platforms. For the NSA 6600 and other platforms that do not have ports connected through the Broadcom switch (directly connected ports), this feature applies only to ports that are connected through the Broadcom switch (indirectly connected ports).
Resolution
To enable Switch Shield protection:
- Navigate to MANAGE I System Setup | Switching | Switch Shield.
- Select the Switch Shield options to be enabled. To protect against:
- IP packets in which the source IP equals the destination IP, select SIP = DIP for IPv4/IPv6 packets
- TCP Syn fragmented packets, select TCP Syn Frag Packets
- TCP packets without control flags or sequence, select TCP packets with control flags = 0 and sequence number = 0
- TCP packets with FIN, URG, and PSH bits enabled and the sequence number equal to 0, select TCP packets with FIN, URG, and PSH bits set and sequence number = 0
- TCP packets with SYN and FIN bits enabled, select TCP packets with SYN and FIN bits are set
- TCP packets with the source port equal to the destination port, select TCP Source Port = TCP Destination Port
- TCP packets with a partial (< 20 bytes) header, select First TCP fragment does not have the full TCP header (less than 20 bytes)
- TCP header offset equal to 1, select TCP header has fragment offset value as 1
- UDP packets with the source Port equal to the destination port, select UDP Source Port number = UDP Destination Port number
- Fragmented ICMP packets, select Fragmented ICMP packets
- Packets in which the source MAC address equals the destination MAC address, enable MAC SA == MAC DA
- IPv4 first fragment, select IP first Fragment Check
- Oversized or big ICMP packets, specify the maximum packet size in the:
- Large ICMPv4 packet size field
- Large ICMPv6 packet size field
- Invalid TCP headers, specify the minimum header size in the Minimum TCP header size field
- Small IPv6 fragments, enter the minimum fragment size in the IPv6 minimum fragment size field
3. Click ACCEPT.
TIP:(SIP = Source IP address, DIP = Destination IP address, SA = Source address, DA = Destination address).
Related Articles
- All associated wildcard FQDN IP addresses do not display in the web browser
- How to Re-Install The Junk Store
- SonicWall NSv Series FAQ
Categories
- Firewalls > NSa Series
- Firewalls > SonicWall NSA Series
- Firewalls > SonicWall SuperMassive 9000 Series
YES
NO